Re: Losing BPF's

[Guy Harris <guy () alum mit edu>]

Guy Harris wrote:

> I can't reproduce this on OS X 10.4 - I get
>
>     $ sudo ./bpfMaker.pl en1
>     BPF's at startup:        0
>     BPF's upon ending:        0

...with a version of bpftest.c fixed so that, if pcap_open_live() fails, 
it returns before calling pcap_loop() (otherwise, it dumps core, which 
takes a significant amount of time on OS X - OS X core files are huge).

I've attached the source to that version.

#include <pcap.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <signal.h>

// Opens a pcap connection to the given device and does nothing with
// the packets. Closes the pcap connection when the program
// is terminated.

char errBuf[PCAP_ERRBUF_SIZE];
pcap_t *sessionHandle;

void receivePacket(u_char *args, const struct pcap_pkthdr *header,
                   const u_char *packet);
void terminateOnSignal(int signal);

int main(int argc, char *argv[]) {
    int status;

    if (argc == 1) {
        fprintf(stderr, "Please provide the name of the ethernet device\n");
        return 1;
    }

    signal(SIGINT, terminateOnSignal);
    signal(SIGQUIT, terminateOnSignal);
    signal(SIGTRAP, terminateOnSignal);
    signal(SIGABRT, terminateOnSignal);
    signal(SIGTERM, terminateOnSignal);

    sessionHandle = pcap_open_live(argv[1], 2000, 1, 1000, errBuf);

    if (sessionHandle == NULL) {
        fprintf(stderr, "Error opening pcap connection: %s\n", errBuf);
        return 2;
    }

    status = pcap_loop(sessionHandle, -1, receivePacket, NULL);

    fprintf(stderr, "Abnormal program termination\n");
    return 2;
}

void receivePacket(u_char *args, const struct pcap_pkthdr *header,
                   const u_char *packet) {
    return;
}

void terminateOnSignal(int signal) {
    if ( sessionHandle )
        pcap_close(sessionHandle);

    exit(99);
}

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.